Detect obfuscated malware in npm supply chains
npm supply-chain scanner catching obfuscated payloads, credential stealers, eBPF rootkits, and AI-key attacks that npm audit misses.
Why it matters
Scan npm packages and dependencies for advanced supply chain attacks that traditional tools miss-obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, worm propagation, and campaign-specific signatures from real-world incidents like Megalodon, Mini Shai-Hulud, TrapDoor, and node-ipc compromise.
Outcomes
What it gets done
Identify obfuscated preinstall hooks and eval chains using AST-level heuristic analysis
Detect conditional triggers that activate only in CI/CD or production environments
Catch typosquatting, HuggingFace org impersonation, and registry poisoning attempts
Export findings to SARIF, SBOM (CycloneDX/SPDX), SIEM formats, and compliance reports
Install
Add it to your toolbox
Run in your project directory:
curl -fsSL https://spark.entire.vc/get/lateos-ai-npm-scan | bash Capabilities
Tools your agent gets
Scans npm packages for supply chain attacks, obfuscation, malware, and campaign indicators
Analyzes package-lock.json, yarn.lock, and pnpm-lock.yaml for malicious dependencies
Detects VS Code extension supply chain attacks and malicious marketplace packages
Overview
Npm Scan
What it does
Supply-chain security scanner for npm packages that detects behavioral attacks - obfuscated payloads, credential stealers, eBPF kernel rootkits, memory-level token extraction, GitHub author spoofing, and AI-platform-targeted attacks - that CVE-based tools like npm audit and Snyk miss.
How it connects
Use it to scan a package or an entire lockfile for supply-chain attacks before installing or shipping it, or as a CI/CD gate that fails a build on critical findings. It runs locally with no telemetry, in under 30 seconds per run.
Source README
npm-scan
Supply chain threat detection that catches what npm audit, Snyk, and Socket miss.
Detects obfuscated payloads, credential stealers, kernel rootkits, eBPF hooks, memory extraction, GitHub spoofing, and AI-targeted attacks.
Why npm-scan?
Traditional tools are outdated. npm audit checks CVE databases. Snyk scans dependency versions. Neither catches behavioral patterns.
The 2026 wave of attacks:
- eBPF kernel rootkits (invisible to monitoring)
- Memory-level credential extraction (OIDC tokens)
- Self-defending code (anti-debugging, anti-tampering)
- GitHub author spoofing ("claude@users.noreply.github.com")
- AI platform targeting (Claude, OpenAI, Cursor, Mistral keys)
- Worm-like propagation (auto-republish with stolen tokens)
npm-scan detects all of these. 95%+ confidence on real campaigns.
Coverage: npm-scan vs Industry Tools
| Attack Vector | npm-scan | npm audit | Snyk | Socket | Sonatype |
|---|---|---|---|---|---|
| Miasma/Hades (binding.gyp) | ✅ 95% | ❌ 0% | ❌ 0% | ⚠️ 40% | ❌ 0% |
| eBPF Kernel Rootkit | ✅ 95% | ❌ 0% | ❌ 0% | ❌ 0% | ❌ 0% |
| AI Token Targeting | ✅ 98% | ❌ 0% | ❌ 0% | ❌ 0% | ❌ 0% |
| GitHub Author Spoofing | ✅ 99% | ❌ 0% | ❌ 0% | ❌ 0% | ❌ 0% |
| Memory Credential Extraction | ✅ 95% | ❌ 0% | ❌ 0% | ⚠️ 20% | ❌ 0% |
| Self-Defending Code | ✅ 95% | ❌ 0% | ⚠️ 25% | ⚠️ 45% | ❌ 0% |
| Module-Load Execution | ✅ 95% | ❌ 0% | ❌ 0% | ⚠️ 50% | ❌ 0% |
| Known CVEs | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
Legend: ✅ = 85%+ detection | ⚠️ = 15-80% detection | ❌ = 0% detection
Risk Reduction & Compliance
Single tool approach = Blind spot = Expensive liability
A compromised npm package costs your company:
- Data breach: $4.5M average (IBM, 2024)
- Regulatory fines: SOC 2 violations ($100K+), GDPR ($10M+), compliance audits
- Downtime: $5K-$50K per hour in lost revenue
- Reputation: Brand damage, customer trust erosion
- Legal: Lawsuits from affected customers, liability claims
Traditional tool alone misses behavioral attacks. If npm audit + Snyk see nothing, but attackers steal your AWS credentials via a behavioral pattern, you're liable.
npm-scan + npm audit = Complete coverage = Risk reduction
By catching the 95%+ of attacks that traditional tools miss, you reduce:
- ✅ Breach probability (behavioral detection catches attacks before damage)
- ✅ Compliance violation risk (due diligence: you used multiple detection methods)
- ✅ Financial liability (auditors will ask: "How did you verify supply chain security?")
- ✅ Customer impact (faster detection = faster remediation = fewer affected customers)
Cost-benefit: npm-scan ($2.4K/year enterprise) vs. data breach ($4.5M average). ROI: 1,875x.
What It Detects
| Category | Examples | Detection |
|---|---|---|
| Credential Theft | Env var harvesting, token exfiltration | 98% |
| Kernel Attacks | eBPF rootkits, privilege escalation | 95% |
| Code Evasion | Obfuscation, self-defending code, anti-debug | 95% |
| Memory Extraction | OIDC token access, AI key targeting | 95% |
| GitHub Attacks | Author spoofing, force-push hijacking | 99% |
| Worm Propagation | Auto-republish via stolen credentials | 95% |
Quick Start
# Install
npm install -g @lateos/npm-scan
# Scan a package with known vulnerabilities
npm-scan axios
# Scan your lockfile
npm-scan scan-lockfile
# Export findings to JSON
npm-scan express --json > findings.json
Key Features
- ✅ 23 detectors (D1-D25) covering supply chain attack vectors
- ✅ Real campaign validation (IronWorm, Miasma, Dependency Confusion)
- ✅ Runs locally - no telemetry, no cloud dependency
- ✅ Fast - <30 seconds per CI/CD run
- ✅ Policy-as-code - YAML allowlists, severity overrides
- ✅ SBOM + SARIF - CycloneDX, SPDX, GitHub Security
- ✅ GitHub Action - One-liner CI/CD integration
- ✅ Docker - Multi-arch images
Learn more: lateos.ai/npm-scan
CI/CD Integration
# GitHub Actions example
- name: Scan with npm-scan
run: |
npm install -g @lateos/npm-scan
npm-scan scan-lockfile --fail-on critical
Works with GitHub Actions, GitLab CI, Jenkins, or any CI/CD platform.
Licensing
Free (MIT): Individuals, open-source projects, and teams evaluating for production - no time limit.
Paid (BLA): Required when your team ships to production commercially.
Evaluate freely. Purchase when you're ready to ship.
See LICENSING.md for details.
Commercial use? See licensing tiers - $799/yr (small team) to $9,900/yr (enterprise). Volume discounts available.
More
Scan your first package:
npx @lateos/npm-scan scan axios
Discussion
Questions & comments · 0
Sign In Sign in to leave a comment.